The Latest Cyber Attacks Demonstrate the Need to Rethink Cybersecurity

May 24, 2020

Cyberattacks are on the rise and more and more enterprises fall victim to attacks each and every day. Take for example the recent high profile attacks on Gedia, a German automotive parts manufacturer and Travelex, a foreign currency exchange enterprise. Both businesses experienced disruption and claimed the attacks came from a known criminal group. The same group that was behind a series of attacks on companies using sophisticated malware that encrypts files, known as Sodinokibi or REvil. The criminal group also threatened to publish sensitive data from the car parts supplier on the internet, unless a ransom was paid.

Simply put, businesses are becoming attractive targets for digital extortion and are now on the radars of organized crime and criminal groups that are looking to make a quick buck off of the misery they can create. Both attacks demonstrate how vulnerable today’s businesses are when connected to the public internet and adequate protection is not deployed.

It is speculated that the attack on Travelex became possible because the company had failed to patch vulnerable VPN servers. Which is important to note, especially since the NIST’s National Vulnerability Database has published over 100 new CVEs (Common Vulnerabilities and Exposures) for VPNs since January of 2019, indicating that there may be many unpatched VPN servers in use today. Even more troubling is the fact that the root cause of the Gedia attack is still yet to be discovered, which means the security flaw may still exist.

Speculation aside, the root cause of most cyber-attacks can be traced back to unpatched systems, phishing, malicious code, or some other weak link in the security stack, such as compromised credentials. Knowing the root cause is only one part of the cybersecurity puzzle, The real question becomes “what can be done to prevent such attacks”?

The Cato Approach

Here at Cato Networks, we have developed a solution to the security problem of unpatched VPN servers. Remote users is just another “edge” along with branches, datacenters and cloud resources all connected and secured by the Cato global network. As the first implementation of the Gartner’s SASE (Secure Access Service Edge) architecture, Cato infrastructure is kept up-to-date and customers do not have to worry about applying patches or installing server-side security software, we take care of all of that. We also address the shortcomings of VPNs. Our client software replaces a traditional VPN and uses a Software Defined Perimeter (SDP) to allow only authorized users to access the private backbone.

Once connected to Cato, users are protected from attack as Cato inspects all network traffic, attachments, and files. Since most ransomware enters a network after a phishing attack or by a user downloading software from an embedded link, our platform would detect the malicious code and the associated SMB traffic and prevent the lateral movement of the malicious code. We can also detect traffic flows that attempt to contact the external addresses used by malicious software and block that traffic as well.

Ransomware and other malicious code can only impact an organization if it has a way to get on the network. Our platform eliminates the ability for malicious code to enter the network, thus defeating ransomware and other threats. Our SASE platform identifies known malicious code while it is in transit and blocks it and since our platform is a cloud service, it is constantly updated with the latest cyber security information, we take care of everything on the backend, including any patching or other updates.

In addition, Cato protects against the spread of ransomware and other types of malware introduced into a host by means outside of the secured Cato network. For example, users may introduce malware into their systems by connecting across a public Wi-Fi network (without using Cato mobile access solution) or by inserting an infected thumb drive in their systems.

Regardless of how hosts becomes infected, Cato detects and blocks the spread of malware by detecting anomalous traffic patterns. Cato monitors normal user behavior, such as the number of servers commonly accessed, typical traffic load, regular file extensions, and more. Once an anomaly occurs, Cato can either notify the customer or block various types of traffic from the abnormal host.

Cato also offers an additional layer of protection, since our server-side software is not available to the public (unlike VPN server software), hackers do not have access to the code to create exploits to the system. Since we handle everything on the backend, administrators no longer have to worry about maintaining firewalls, setting up secure branch access, or deploying secure web gateways, all of those elements are part of Cato’s service offering, helping to further reduce administrative overhead.

By moving to an SD-WAN built with SASE, enterprises can make most of their cybersecurity problems disappear. For more information, check out our advanced threat protection and get additional information on our next generation firewall.

Avidan Avraham

Avidan Avraham

Avidan is a Security Researcher in Cato Networks. Avidan has a strong interest in cybersecurity, from OS internals and reverse engineering to network protocols analysis and malicious traffic detection. Avidan is also a Big-data and machine learning enthusiast who enjoys solving complex problems related to this world. Previously he worked at IBM Trusteer and was responsible for a vast part of the company's detection and prevention capabilities: enterprise security threats & exploits, financial malware variants and more. Today, in Cato Research Labs, he's focusing on network based security research & novel methods for finding threats in enterprise network environments.